diff --git a/hostapd/Android.mk b/hostapd/Android.mk index 8fd6fa09f..6a62d3928 100644 --- a/hostapd/Android.mk +++ b/hostapd/Android.mk @@ -455,6 +455,7 @@ ifdef CONFIG_EAP_PWD L_CFLAGS += -DEAP_SERVER_PWD OBJS += src/eap_server/eap_server_pwd.c src/eap_common/eap_pwd_common.c NEED_SHA256=y +NEED_ECC=y endif ifdef CONFIG_EAP_EKE diff --git a/hostapd/Makefile b/hostapd/Makefile index eb3567293..cb146dabd 100644 --- a/hostapd/Makefile +++ b/hostapd/Makefile @@ -489,6 +489,7 @@ ifdef CONFIG_EAP_PWD CFLAGS += -DEAP_SERVER_PWD OBJS += ../src/eap_server/eap_server_pwd.o ../src/eap_common/eap_pwd_common.o NEED_SHA256=y +NEED_ECC=y endif ifdef CONFIG_EAP_EKE diff --git a/src/eap_common/eap_pwd_common.c b/src/eap_common/eap_pwd_common.c index 67f8f7098..5e986822d 100644 --- a/src/eap_common/eap_pwd_common.c +++ b/src/eap_common/eap_pwd_common.c @@ -91,91 +91,33 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, const u8 *id_peer, size_t id_peer_len, const u8 *token) { - BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL; struct crypto_hash *hash; unsigned char pwe_digest[SHA256_MAC_LEN], *prfbuf = NULL, ctr; - int nid, is_odd, ret = 0; + int is_odd, ret = 0; size_t primebytelen, primebitlen; - - switch (num) { /* from IANA registry for IKE D-H groups */ - case 19: - nid = NID_X9_62_prime256v1; - break; - case 20: - nid = NID_secp384r1; - break; - case 21: - nid = NID_secp521r1; - break; -#ifndef OPENSSL_IS_BORINGSSL - case 25: - nid = NID_X9_62_prime192v1; - break; -#endif /* OPENSSL_IS_BORINGSSL */ - case 26: - nid = NID_secp224r1; - break; -#ifdef NID_brainpoolP224r1 - case 27: - nid = NID_brainpoolP224r1; - break; -#endif /* NID_brainpoolP224r1 */ -#ifdef NID_brainpoolP256r1 - case 28: - nid = NID_brainpoolP256r1; - break; -#endif /* NID_brainpoolP256r1 */ -#ifdef NID_brainpoolP384r1 - case 29: - nid = NID_brainpoolP384r1; - break; -#endif /* NID_brainpoolP384r1 */ -#ifdef NID_brainpoolP512r1 - case 30: - nid = NID_brainpoolP512r1; - break; -#endif /* NID_brainpoolP512r1 */ - default: - wpa_printf(MSG_INFO, "EAP-pwd: unsupported group %d", num); - return -1; - } + struct crypto_bignum *x_candidate = NULL, *rnd = NULL, *cofactor = NULL; grp->pwe = NULL; - grp->order = NULL; - grp->prime = NULL; - - if ((grp->group = EC_GROUP_new_by_curve_name(nid)) == NULL) { - wpa_printf(MSG_INFO, "EAP-pwd: unable to create EC_GROUP"); + grp->group = crypto_ec_init(num); + if (!grp->group) { + wpa_printf(MSG_INFO, "EAP-pwd: unable to create EC group"); goto fail; } - if (((rnd = BN_new()) == NULL) || - ((cofactor = BN_new()) == NULL) || - ((grp->pwe = EC_POINT_new(grp->group)) == NULL) || - ((grp->order = BN_new()) == NULL) || - ((grp->prime = BN_new()) == NULL) || - ((x_candidate = BN_new()) == NULL)) { + cofactor = crypto_bignum_init(); + grp->pwe = crypto_ec_point_init(grp->group); + if (!cofactor || !grp->pwe) { wpa_printf(MSG_INFO, "EAP-pwd: unable to create bignums"); goto fail; } - if (!EC_GROUP_get_curve_GFp(grp->group, grp->prime, NULL, NULL, NULL)) - { - wpa_printf(MSG_INFO, "EAP-pwd: unable to get prime for GFp " - "curve"); - goto fail; - } - if (!EC_GROUP_get_order(grp->group, grp->order, NULL)) { - wpa_printf(MSG_INFO, "EAP-pwd: unable to get order for curve"); - goto fail; - } - if (!EC_GROUP_get_cofactor(grp->group, cofactor, NULL)) { + if (crypto_ec_cofactor(grp->group, cofactor) < 0) { wpa_printf(MSG_INFO, "EAP-pwd: unable to get cofactor for " "curve"); goto fail; } - primebitlen = BN_num_bits(grp->prime); - primebytelen = BN_num_bytes(grp->prime); + primebitlen = crypto_ec_prime_len_bits(grp->group); + primebytelen = crypto_ec_prime_len(grp->group); if ((prfbuf = os_malloc(primebytelen)) == NULL) { wpa_printf(MSG_INFO, "EAP-pwd: unable to malloc space for prf " "buffer"); @@ -207,15 +149,25 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, eap_pwd_h_update(hash, &ctr, sizeof(ctr)); eap_pwd_h_final(hash, pwe_digest); - BN_bin2bn(pwe_digest, SHA256_MAC_LEN, rnd); - + crypto_bignum_deinit(rnd, 1); + rnd = crypto_bignum_init_set(pwe_digest, SHA256_MAC_LEN); + if (!rnd) { + wpa_printf(MSG_INFO, "EAP-pwd: unable to create rnd"); + goto fail; + } if (eap_pwd_kdf(pwe_digest, SHA256_MAC_LEN, (u8 *) "EAP-pwd Hunting And Pecking", os_strlen("EAP-pwd Hunting And Pecking"), prfbuf, primebitlen) < 0) goto fail; - BN_bin2bn(prfbuf, primebytelen, x_candidate); + crypto_bignum_deinit(x_candidate, 1); + x_candidate = crypto_bignum_init_set(prfbuf, primebytelen); + if (!x_candidate) { + wpa_printf(MSG_INFO, + "EAP-pwd: unable to create x_candidate"); + goto fail; + } /* * eap_pwd_kdf() returns a string of bits 0..primebitlen but @@ -224,11 +176,14 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, * then excessive bits-- those _after_ primebitlen-- so now * we have to shift right the amount we masked off. */ - if (primebitlen % 8) - BN_rshift(x_candidate, x_candidate, - (8 - (primebitlen % 8))); + if ((primebitlen % 8) && + crypto_bignum_rshift(x_candidate, + (8 - (primebitlen % 8)), + x_candidate) < 0) + goto fail; - if (BN_ucmp(x_candidate, grp->prime) >= 0) + if (crypto_bignum_cmp(x_candidate, + crypto_ec_get_prime(grp->group)) >= 0) continue; wpa_hexdump(MSG_DEBUG, "EAP-pwd: x_candidate", @@ -238,40 +193,38 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, * need to unambiguously identify the solution, if there is * one... */ - if (BN_is_odd(rnd)) - is_odd = 1; - else - is_odd = 0; + is_odd = crypto_bignum_is_odd(rnd); /* * solve the quadratic equation, if it's not solvable then we * don't have a point */ - if (!EC_POINT_set_compressed_coordinates_GFp(grp->group, - grp->pwe, - x_candidate, - is_odd, NULL)) + if (crypto_ec_point_solve_y_coord(grp->group, grp->pwe, + x_candidate, is_odd) != 0) { + wpa_printf(MSG_INFO, "EAP-pwd: Could not solve for y"); continue; + } /* * If there's a solution to the equation then the point must be * on the curve so why check again explicitly? OpenSSL code * says this is required by X9.62. We're not X9.62 but it can't * hurt just to be sure. */ - if (!EC_POINT_is_on_curve(grp->group, grp->pwe, NULL)) { + if (!crypto_ec_point_is_on_curve(grp->group, grp->pwe)) { wpa_printf(MSG_INFO, "EAP-pwd: point is not on curve"); continue; } - if (BN_cmp(cofactor, BN_value_one())) { + if (!crypto_bignum_is_one(cofactor)) { /* make sure the point is not in a small sub-group */ - if (!EC_POINT_mul(grp->group, grp->pwe, NULL, grp->pwe, - cofactor, NULL)) { + if (crypto_ec_point_mul(grp->group, grp->pwe, + cofactor, grp->pwe) != 0) { wpa_printf(MSG_INFO, "EAP-pwd: cannot " "multiply generator by order"); continue; } - if (EC_POINT_is_at_infinity(grp->group, grp->pwe)) { + if (crypto_ec_point_is_at_infinity(grp->group, + grp->pwe)) { wpa_printf(MSG_INFO, "EAP-pwd: point is at " "infinity"); continue; @@ -284,37 +237,38 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, grp->group_num = num; if (0) { fail: - EC_GROUP_free(grp->group); + crypto_ec_deinit(grp->group); grp->group = NULL; - EC_POINT_clear_free(grp->pwe); + crypto_ec_point_deinit(grp->pwe, 1); grp->pwe = NULL; - BN_clear_free(grp->order); - grp->order = NULL; - BN_clear_free(grp->prime); - grp->prime = NULL; ret = 1; } /* cleanliness and order.... */ - BN_clear_free(cofactor); - BN_clear_free(x_candidate); - BN_clear_free(rnd); + crypto_bignum_deinit(cofactor, 1); + crypto_bignum_deinit(x_candidate, 1); + crypto_bignum_deinit(rnd, 1); os_free(prfbuf); return ret; } -int compute_keys(EAP_PWD_group *grp, BN_CTX *bnctx, const BIGNUM *k, - const BIGNUM *peer_scalar, const BIGNUM *server_scalar, +int compute_keys(EAP_PWD_group *grp, const struct crypto_bignum *k, + const struct crypto_bignum *peer_scalar, + const struct crypto_bignum *server_scalar, const u8 *confirm_peer, const u8 *confirm_server, const u32 *ciphersuite, u8 *msk, u8 *emsk, u8 *session_id) { struct crypto_hash *hash; u8 mk[SHA256_MAC_LEN], *cruft; u8 msk_emsk[EAP_MSK_LEN + EAP_EMSK_LEN]; - int offset; + size_t prime_len, order_len; - if ((cruft = os_malloc(BN_num_bytes(grp->prime))) == NULL) + prime_len = crypto_ec_prime_len(grp->group); + order_len = crypto_ec_order_len(grp->group); + + cruft = os_malloc(prime_len); + if (!cruft) return -1; /* @@ -328,14 +282,10 @@ int compute_keys(EAP_PWD_group *grp, BN_CTX *bnctx, const BIGNUM *k, return -1; } eap_pwd_h_update(hash, (const u8 *) ciphersuite, sizeof(u32)); - offset = BN_num_bytes(grp->order) - BN_num_bytes(peer_scalar); - os_memset(cruft, 0, BN_num_bytes(grp->prime)); - BN_bn2bin(peer_scalar, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(grp->order)); - offset = BN_num_bytes(grp->order) - BN_num_bytes(server_scalar); - os_memset(cruft, 0, BN_num_bytes(grp->prime)); - BN_bn2bin(server_scalar, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(grp->order)); + crypto_bignum_to_bin(peer_scalar, cruft, order_len, order_len); + eap_pwd_h_update(hash, cruft, order_len); + crypto_bignum_to_bin(server_scalar, cruft, order_len, order_len); + eap_pwd_h_update(hash, cruft, order_len); eap_pwd_h_final(hash, &session_id[1]); /* then compute MK = H(k | confirm-peer | confirm-server) */ @@ -344,10 +294,8 @@ int compute_keys(EAP_PWD_group *grp, BN_CTX *bnctx, const BIGNUM *k, os_free(cruft); return -1; } - offset = BN_num_bytes(grp->prime) - BN_num_bytes(k); - os_memset(cruft, 0, BN_num_bytes(grp->prime)); - BN_bn2bin(k, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(grp->prime)); + crypto_bignum_to_bin(k, cruft, prime_len, prime_len); + eap_pwd_h_update(hash, cruft, prime_len); os_free(cruft); eap_pwd_h_update(hash, confirm_peer, SHA256_MAC_LEN); eap_pwd_h_update(hash, confirm_server, SHA256_MAC_LEN); diff --git a/src/eap_common/eap_pwd_common.h b/src/eap_common/eap_pwd_common.h index a0d717edf..7ac7b6aec 100644 --- a/src/eap_common/eap_pwd_common.h +++ b/src/eap_common/eap_pwd_common.h @@ -9,20 +9,14 @@ #ifndef EAP_PWD_COMMON_H #define EAP_PWD_COMMON_H -#include -#include -#include - /* * definition of a finite cyclic group * TODO: support one based on a prime field */ typedef struct group_definition_ { u16 group_num; - EC_GROUP *group; - EC_POINT *pwe; - BIGNUM *order; - BIGNUM *prime; + struct crypto_ec *group; + struct crypto_ec_point *pwe; } EAP_PWD_group; /* @@ -61,8 +55,9 @@ int compute_password_element(EAP_PWD_group *grp, u16 num, const u8 *id_server, size_t id_server_len, const u8 *id_peer, size_t id_peer_len, const u8 *token); -int compute_keys(EAP_PWD_group *grp, BN_CTX *bnctx, const BIGNUM *k, - const BIGNUM *peer_scalar, const BIGNUM *server_scalar, +int compute_keys(EAP_PWD_group *grp, const struct crypto_bignum *k, + const struct crypto_bignum *peer_scalar, + const struct crypto_bignum *server_scalar, const u8 *confirm_peer, const u8 *confirm_server, const u32 *ciphersuite, u8 *msk, u8 *emsk, u8 *session_id); struct crypto_hash * eap_pwd_h_init(void); diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c index ec277ac91..d62defe28 100644 --- a/src/eap_peer/eap_pwd.c +++ b/src/eap_peer/eap_pwd.c @@ -11,6 +11,7 @@ #include "common.h" #include "crypto/sha256.h" #include "crypto/ms_funcs.h" +#include "crypto/crypto.h" #include "eap_peer/eap_i.h" #include "eap_common/eap_pwd_common.h" @@ -36,18 +37,16 @@ struct eap_pwd_data { size_t out_frag_pos; size_t mtu; - BIGNUM *k; - BIGNUM *private_value; - BIGNUM *server_scalar; - BIGNUM *my_scalar; - EC_POINT *my_element; - EC_POINT *server_element; + struct crypto_bignum *k; + struct crypto_bignum *private_value; + struct crypto_bignum *server_scalar; + struct crypto_bignum *my_scalar; + struct crypto_ec_point *my_element; + struct crypto_ec_point *server_element; u8 msk[EAP_MSK_LEN]; u8 emsk[EAP_EMSK_LEN]; u8 session_id[1 + SHA256_MAC_LEN]; - - BN_CTX *bnctx; }; @@ -107,15 +106,8 @@ static void * eap_pwd_init(struct eap_sm *sm) return NULL; } - if ((data->bnctx = BN_CTX_new()) == NULL) { - wpa_printf(MSG_INFO, "EAP-PWD: bn context allocation fail"); - os_free(data); - return NULL; - } - if ((data->id_peer = os_malloc(identity_len)) == NULL) { wpa_printf(MSG_INFO, "EAP-PWD: memory allocation id fail"); - BN_CTX_free(data->bnctx); os_free(data); return NULL; } @@ -125,7 +117,6 @@ static void * eap_pwd_init(struct eap_sm *sm) if ((data->password = os_malloc(password_len)) == NULL) { wpa_printf(MSG_INFO, "EAP-PWD: memory allocation psk fail"); - BN_CTX_free(data->bnctx); bin_clear_free(data->id_peer, data->id_peer_len); os_free(data); return NULL; @@ -152,21 +143,18 @@ static void eap_pwd_deinit(struct eap_sm *sm, void *priv) { struct eap_pwd_data *data = priv; - BN_clear_free(data->private_value); - BN_clear_free(data->server_scalar); - BN_clear_free(data->my_scalar); - BN_clear_free(data->k); - BN_CTX_free(data->bnctx); - EC_POINT_clear_free(data->my_element); - EC_POINT_clear_free(data->server_element); + crypto_bignum_deinit(data->private_value, 1); + crypto_bignum_deinit(data->server_scalar, 1); + crypto_bignum_deinit(data->my_scalar, 1); + crypto_bignum_deinit(data->k, 1); + crypto_ec_point_deinit(data->my_element, 1); + crypto_ec_point_deinit(data->server_element, 1); bin_clear_free(data->id_peer, data->id_peer_len); bin_clear_free(data->id_server, data->id_server_len); bin_clear_free(data->password, data->password_len); if (data->grp) { - EC_GROUP_free(data->grp->group); - EC_POINT_clear_free(data->grp->pwe); - BN_clear_free(data->grp->order); - BN_clear_free(data->grp->prime); + crypto_ec_deinit(data->grp->group); + crypto_ec_point_deinit(data->grp->pwe, 1); os_free(data->grp); } wpabuf_free(data->inbuf); @@ -331,7 +319,7 @@ eap_pwd_perform_id_exchange(struct eap_sm *sm, struct eap_pwd_data *data, } wpa_printf(MSG_DEBUG, "EAP-PWD (peer): computed %d bit PWE...", - BN_num_bits(data->grp->prime)); + (int) crypto_ec_prime_len_bits(data->grp->group)); data->outbuf = wpabuf_alloc(sizeof(struct eap_pwd_id) + data->id_peer_len); @@ -356,10 +344,10 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data, const struct wpabuf *reqData, const u8 *payload, size_t payload_len) { - EC_POINT *K = NULL, *point = NULL; - BIGNUM *mask = NULL, *x = NULL, *y = NULL, *cofactor = NULL; - u16 offset; - u8 *ptr, *scalar = NULL, *element = NULL; + struct crypto_ec_point *K = NULL, *point = NULL; + struct crypto_bignum *mask = NULL, *cofactor = NULL; + const u8 *ptr; + u8 *scalar = NULL, *element = NULL; size_t prime_len, order_len; if (data->state != PWD_Commit_Req) { @@ -367,8 +355,8 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data, goto fin; } - prime_len = BN_num_bytes(data->grp->prime); - order_len = BN_num_bytes(data->grp->order); + prime_len = crypto_ec_prime_len(data->grp->group); + order_len = crypto_ec_order_len(data->grp->group); if (payload_len != 2 * prime_len + order_len) { wpa_printf(MSG_INFO, @@ -378,87 +366,85 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data, goto fin; } - if (((data->private_value = BN_new()) == NULL) || - ((data->my_element = EC_POINT_new(data->grp->group)) == NULL) || - ((cofactor = BN_new()) == NULL) || - ((data->my_scalar = BN_new()) == NULL) || - ((mask = BN_new()) == NULL)) { + data->private_value = crypto_bignum_init(); + data->my_element = crypto_ec_point_init(data->grp->group); + cofactor = crypto_bignum_init(); + data->my_scalar = crypto_bignum_init(); + mask = crypto_bignum_init(); + if (!data->private_value || !data->my_element || !cofactor || + !data->my_scalar || !mask) { wpa_printf(MSG_INFO, "EAP-PWD (peer): scalar allocation fail"); goto fin; } - if (!EC_GROUP_get_cofactor(data->grp->group, cofactor, NULL)) { + if (crypto_ec_cofactor(data->grp->group, cofactor) < 0) { wpa_printf(MSG_INFO, "EAP-pwd (peer): unable to get cofactor " "for curve"); goto fin; } - if (BN_rand_range(data->private_value, data->grp->order) != 1 || - BN_rand_range(mask, data->grp->order) != 1 || - BN_add(data->my_scalar, data->private_value, mask) != 1 || - BN_mod(data->my_scalar, data->my_scalar, data->grp->order, - data->bnctx) != 1) { + if (crypto_bignum_rand(data->private_value, + crypto_ec_get_order(data->grp->group)) < 0 || + crypto_bignum_rand(mask, + crypto_ec_get_order(data->grp->group)) < 0 || + crypto_bignum_add(data->private_value, mask, + data->my_scalar) < 0 || + crypto_bignum_mod(data->my_scalar, + crypto_ec_get_order(data->grp->group), + data->my_scalar) < 0) { wpa_printf(MSG_INFO, "EAP-pwd (peer): unable to get randomness"); goto fin; } - if (!EC_POINT_mul(data->grp->group, data->my_element, NULL, - data->grp->pwe, mask, data->bnctx)) { + if (crypto_ec_point_mul(data->grp->group, data->grp->pwe, mask, + data->my_element) < 0) { wpa_printf(MSG_INFO, "EAP-PWD (peer): element allocation " "fail"); eap_pwd_state(data, FAILURE); goto fin; } - if (!EC_POINT_invert(data->grp->group, data->my_element, data->bnctx)) - { + if (crypto_ec_point_invert(data->grp->group, data->my_element) < 0) { wpa_printf(MSG_INFO, "EAP-PWD (peer): element inversion fail"); goto fin; } - if (((x = BN_new()) == NULL) || - ((y = BN_new()) == NULL)) { - wpa_printf(MSG_INFO, "EAP-PWD (peer): point allocation fail"); - goto fin; - } - /* process the request */ - if (((data->server_scalar = BN_new()) == NULL) || - ((data->k = BN_new()) == NULL) || - ((K = EC_POINT_new(data->grp->group)) == NULL) || - ((point = EC_POINT_new(data->grp->group)) == NULL) || - ((data->server_element = EC_POINT_new(data->grp->group)) == NULL)) - { + data->k = crypto_bignum_init(); + K = crypto_ec_point_init(data->grp->group); + point = crypto_ec_point_init(data->grp->group); + if (!data->k || !K || !point) { wpa_printf(MSG_INFO, "EAP-PWD (peer): peer data allocation " "fail"); goto fin; } /* element, x then y, followed by scalar */ - ptr = (u8 *) payload; - BN_bin2bn(ptr, BN_num_bytes(data->grp->prime), x); - ptr += BN_num_bytes(data->grp->prime); - BN_bin2bn(ptr, BN_num_bytes(data->grp->prime), y); - ptr += BN_num_bytes(data->grp->prime); - BN_bin2bn(ptr, BN_num_bytes(data->grp->order), data->server_scalar); - if (!EC_POINT_set_affine_coordinates_GFp(data->grp->group, - data->server_element, x, y, - data->bnctx)) { + ptr = payload; + data->server_element = crypto_ec_point_from_bin(data->grp->group, ptr); + if (!data->server_element) { wpa_printf(MSG_INFO, "EAP-PWD (peer): setting peer element " "fail"); goto fin; } + ptr += prime_len * 2; + data->server_scalar = crypto_bignum_init_set(ptr, order_len); + if (!data->server_scalar) { + wpa_printf(MSG_INFO, + "EAP-PWD (peer): setting peer scalar fail"); + goto fin; + } /* check to ensure server's element is not in a small sub-group */ - if (BN_cmp(cofactor, BN_value_one())) { - if (!EC_POINT_mul(data->grp->group, point, NULL, - data->server_element, cofactor, NULL)) { + if (!crypto_bignum_is_one(cofactor)) { + if (crypto_ec_point_mul(data->grp->group, data->server_element, + cofactor, point) < 0) { wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply " "server element by order!\n"); goto fin; } - if (EC_POINT_is_at_infinity(data->grp->group, point)) { + if (crypto_ec_point_is_at_infinity(data->grp->group, point)) { wpa_printf(MSG_INFO, "EAP-PWD (peer): server element " "is at infinity!\n"); goto fin; @@ -466,21 +452,20 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data, } /* compute the shared key, k */ - if ((!EC_POINT_mul(data->grp->group, K, NULL, data->grp->pwe, - data->server_scalar, data->bnctx)) || - (!EC_POINT_add(data->grp->group, K, K, data->server_element, - data->bnctx)) || - (!EC_POINT_mul(data->grp->group, K, NULL, K, data->private_value, - data->bnctx))) { + if (crypto_ec_point_mul(data->grp->group, data->grp->pwe, + data->server_scalar, K) < 0 || + crypto_ec_point_add(data->grp->group, K, data->server_element, + K) < 0 || + crypto_ec_point_mul(data->grp->group, K, data->private_value, + K) < 0) { wpa_printf(MSG_INFO, "EAP-PWD (peer): computing shared key " "fail"); goto fin; } /* ensure that the shared key isn't in a small sub-group */ - if (BN_cmp(cofactor, BN_value_one())) { - if (!EC_POINT_mul(data->grp->group, K, NULL, K, cofactor, - NULL)) { + if (!crypto_bignum_is_one(cofactor)) { + if (crypto_ec_point_mul(data->grp->group, K, cofactor, K) < 0) { wpa_printf(MSG_INFO, "EAP-PWD (peer): cannot multiply " "shared key point by order"); goto fin; @@ -493,30 +478,22 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data, * never going to happen it is a simple and safe check "just to be * sure" so let's be safe. */ - if (EC_POINT_is_at_infinity(data->grp->group, K)) { + if (crypto_ec_point_is_at_infinity(data->grp->group, K)) { wpa_printf(MSG_INFO, "EAP-PWD (peer): shared key point is at " "infinity!\n"); goto fin; } - if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group, K, data->k, - NULL, data->bnctx)) { + if (crypto_ec_point_x(data->grp->group, K, data->k) < 0) { wpa_printf(MSG_INFO, "EAP-PWD (peer): unable to extract " "shared secret from point"); goto fin; } /* now do the response */ - if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group, - data->my_element, x, y, - data->bnctx)) { - wpa_printf(MSG_INFO, "EAP-PWD (peer): point assignment fail"); - goto fin; - } - - if (((scalar = os_malloc(BN_num_bytes(data->grp->order))) == NULL) || - ((element = os_malloc(BN_num_bytes(data->grp->prime) * 2)) == - NULL)) { + scalar = os_zalloc(order_len); + element = os_zalloc(prime_len * 2); + if (!scalar || !element) { wpa_printf(MSG_INFO, "EAP-PWD (peer): data allocation fail"); goto fin; } @@ -526,36 +503,28 @@ eap_pwd_perform_commit_exchange(struct eap_sm *sm, struct eap_pwd_data *data, * sufficiently smaller than the prime or order might need pre-pending * with zeros. */ - os_memset(scalar, 0, BN_num_bytes(data->grp->order)); - os_memset(element, 0, BN_num_bytes(data->grp->prime) * 2); - offset = BN_num_bytes(data->grp->order) - - BN_num_bytes(data->my_scalar); - BN_bn2bin(data->my_scalar, scalar + offset); + crypto_bignum_to_bin(data->my_scalar, scalar, order_len, order_len); + if (crypto_ec_point_to_bin(data->grp->group, data->my_element, element, + element + prime_len) != 0) { + wpa_printf(MSG_INFO, "EAP-PWD (peer): point assignment fail"); + goto fin; + } - offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x); - BN_bn2bin(x, element + offset); - offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y); - BN_bn2bin(y, element + BN_num_bytes(data->grp->prime) + offset); - - data->outbuf = wpabuf_alloc(BN_num_bytes(data->grp->order) + - 2 * BN_num_bytes(data->grp->prime)); + data->outbuf = wpabuf_alloc(order_len + 2 * prime_len); if (data->outbuf == NULL) goto fin; /* we send the element as (x,y) follwed by the scalar */ - wpabuf_put_data(data->outbuf, element, - 2 * BN_num_bytes(data->grp->prime)); - wpabuf_put_data(data->outbuf, scalar, BN_num_bytes(data->grp->order)); + wpabuf_put_data(data->outbuf, element, 2 * prime_len); + wpabuf_put_data(data->outbuf, scalar, order_len); fin: os_free(scalar); os_free(element); - BN_clear_free(x); - BN_clear_free(y); - BN_clear_free(mask); - BN_clear_free(cofactor); - EC_POINT_clear_free(K); - EC_POINT_clear_free(point); + crypto_bignum_deinit(mask, 1); + crypto_bignum_deinit(cofactor, 1); + crypto_ec_point_deinit(K, 1); + crypto_ec_point_deinit(point, 1); if (data->outbuf == NULL) eap_pwd_state(data, FAILURE); else @@ -569,12 +538,11 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data, const struct wpabuf *reqData, const u8 *payload, size_t payload_len) { - BIGNUM *x = NULL, *y = NULL; struct crypto_hash *hash; u32 cs; u16 grp; u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr; - int offset; + size_t prime_len = 0, order_len = 0; if (data->state != PWD_Confirm_Req) { ret->ignore = TRUE; @@ -588,6 +556,9 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data, goto fin; } + prime_len = crypto_ec_prime_len(data->grp->group); + order_len = crypto_ec_order_len(data->grp->group); + /* * first build up the ciphersuite which is group | random_function | * prf @@ -600,9 +571,9 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data, ptr += sizeof(u8); *ptr = EAP_PWD_DEFAULT_PRF; - /* each component of the cruft will be at most as big as the prime */ - if (((cruft = os_malloc(BN_num_bytes(data->grp->prime))) == NULL) || - ((x = BN_new()) == NULL) || ((y = BN_new()) == NULL)) { + /* each component of the point will be at most as big as the prime */ + cruft = os_malloc(prime_len * 2); + if (!cruft) { wpa_printf(MSG_INFO, "EAP-PWD (server): confirm allocation " "fail"); goto fin; @@ -620,59 +591,34 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data, * zero the memory each time because this is mod prime math and some * value may start with a few zeros and the previous one did not. */ - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(data->k); - BN_bn2bin(data->k, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime)); + crypto_bignum_to_bin(data->k, cruft, prime_len, prime_len); + eap_pwd_h_update(hash, cruft, prime_len); /* server element: x, y */ - if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group, - data->server_element, x, y, - data->bnctx)) { + if (crypto_ec_point_to_bin(data->grp->group, data->server_element, + cruft, cruft + prime_len) != 0) { wpa_printf(MSG_INFO, "EAP-PWD (server): confirm point " "assignment fail"); goto fin; } - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x); - BN_bn2bin(x, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime)); - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y); - BN_bn2bin(y, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime)); + eap_pwd_h_update(hash, cruft, prime_len * 2); /* server scalar */ - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->order) - - BN_num_bytes(data->server_scalar); - BN_bn2bin(data->server_scalar, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order)); + crypto_bignum_to_bin(data->server_scalar, cruft, order_len, order_len); + eap_pwd_h_update(hash, cruft, order_len); /* my element: x, y */ - if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group, - data->my_element, x, y, - data->bnctx)) { + if (crypto_ec_point_to_bin(data->grp->group, data->my_element, cruft, + cruft + prime_len) != 0) { wpa_printf(MSG_INFO, "EAP-PWD (server): confirm point " "assignment fail"); goto fin; } - - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x); - BN_bn2bin(x, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime)); - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y); - BN_bn2bin(y, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime)); + eap_pwd_h_update(hash, cruft, prime_len * 2); /* my scalar */ - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->order) - - BN_num_bytes(data->my_scalar); - BN_bn2bin(data->my_scalar, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order)); + crypto_bignum_to_bin(data->my_scalar, cruft, order_len, order_len); + eap_pwd_h_update(hash, cruft, order_len); /* the ciphersuite */ eap_pwd_h_update(hash, (u8 *) &cs, sizeof(u32)); @@ -698,58 +644,34 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data, goto fin; /* k */ - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(data->k); - BN_bn2bin(data->k, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime)); + crypto_bignum_to_bin(data->k, cruft, prime_len, prime_len); + eap_pwd_h_update(hash, cruft, prime_len); /* my element */ - if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group, - data->my_element, x, y, - data->bnctx)) { + if (crypto_ec_point_to_bin(data->grp->group, data->my_element, cruft, + cruft + prime_len) != 0) { wpa_printf(MSG_INFO, "EAP-PWD (peer): confirm point " "assignment fail"); goto fin; } - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x); - BN_bn2bin(x, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime)); - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y); - BN_bn2bin(y, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime)); + eap_pwd_h_update(hash, cruft, prime_len * 2); /* my scalar */ - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->order) - - BN_num_bytes(data->my_scalar); - BN_bn2bin(data->my_scalar, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order)); + crypto_bignum_to_bin(data->my_scalar, cruft, order_len, order_len); + eap_pwd_h_update(hash, cruft, order_len); /* server element: x, y */ - if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group, - data->server_element, x, y, - data->bnctx)) { + if (crypto_ec_point_to_bin(data->grp->group, data->server_element, + cruft, cruft + prime_len) != 0) { wpa_printf(MSG_INFO, "EAP-PWD (peer): confirm point " "assignment fail"); goto fin; } - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x); - BN_bn2bin(x, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime)); - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y); - BN_bn2bin(y, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime)); + eap_pwd_h_update(hash, cruft, prime_len * 2); /* server scalar */ - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->order) - - BN_num_bytes(data->server_scalar); - BN_bn2bin(data->server_scalar, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order)); + crypto_bignum_to_bin(data->server_scalar, cruft, order_len, order_len); + eap_pwd_h_update(hash, cruft, order_len); /* the ciphersuite */ eap_pwd_h_update(hash, (u8 *) &cs, sizeof(u32)); @@ -757,7 +679,7 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data, /* all done */ eap_pwd_h_final(hash, conf); - if (compute_keys(data->grp, data->bnctx, data->k, + if (compute_keys(data->grp, data->k, data->my_scalar, data->server_scalar, conf, ptr, &cs, data->msk, data->emsk, data->session_id) < 0) { wpa_printf(MSG_INFO, "EAP-PWD (peer): unable to compute MSK | " @@ -772,10 +694,7 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data, wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN); fin: - if (data->grp) - bin_clear_free(cruft, BN_num_bytes(data->grp->prime)); - BN_clear_free(x); - BN_clear_free(y); + bin_clear_free(cruft, prime_len * 2); if (data->outbuf == NULL) { ret->methodState = METHOD_DONE; ret->decision = DECISION_FAIL; diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c index 9dca7d032..835ea09ae 100644 --- a/src/eap_server/eap_server_pwd.c +++ b/src/eap_server/eap_server_pwd.c @@ -11,6 +11,7 @@ #include "common.h" #include "crypto/sha256.h" #include "crypto/ms_funcs.h" +#include "crypto/crypto.h" #include "eap_server/eap_i.h" #include "eap_common/eap_pwd_common.h" @@ -36,20 +37,18 @@ struct eap_pwd_data { size_t out_frag_pos; size_t mtu; - BIGNUM *k; - BIGNUM *private_value; - BIGNUM *peer_scalar; - BIGNUM *my_scalar; - EC_POINT *my_element; - EC_POINT *peer_element; + struct crypto_bignum *k; + struct crypto_bignum *private_value; + struct crypto_bignum *peer_scalar; + struct crypto_bignum *my_scalar; + struct crypto_ec_point *my_element; + struct crypto_ec_point *peer_element; u8 my_confirm[SHA256_MAC_LEN]; u8 msk[EAP_MSK_LEN]; u8 emsk[EAP_EMSK_LEN]; u8 session_id[1 + SHA256_MAC_LEN]; - - BN_CTX *bnctx; }; @@ -116,15 +115,6 @@ static void * eap_pwd_init(struct eap_sm *sm) os_memcpy(data->password, sm->user->password, data->password_len); data->password_hash = sm->user->password_hash; - data->bnctx = BN_CTX_new(); - if (data->bnctx == NULL) { - wpa_printf(MSG_INFO, "EAP-PWD: bn context allocation fail"); - bin_clear_free(data->password, data->password_len); - bin_clear_free(data->id_server, data->id_server_len); - os_free(data); - return NULL; - } - data->in_frag_pos = data->out_frag_pos = 0; data->inbuf = data->outbuf = NULL; /* use default MTU from RFC 5931 if not configured otherwise */ @@ -138,21 +128,18 @@ static void eap_pwd_reset(struct eap_sm *sm, void *priv) { struct eap_pwd_data *data = priv; - BN_clear_free(data->private_value); - BN_clear_free(data->peer_scalar); - BN_clear_free(data->my_scalar); - BN_clear_free(data->k); - BN_CTX_free(data->bnctx); - EC_POINT_clear_free(data->my_element); - EC_POINT_clear_free(data->peer_element); + crypto_bignum_deinit(data->private_value, 1); + crypto_bignum_deinit(data->peer_scalar, 1); + crypto_bignum_deinit(data->my_scalar, 1); + crypto_bignum_deinit(data->k, 1); + crypto_ec_point_deinit(data->my_element, 1); + crypto_ec_point_deinit(data->peer_element, 1); bin_clear_free(data->id_peer, data->id_peer_len); bin_clear_free(data->id_server, data->id_server_len); bin_clear_free(data->password, data->password_len); if (data->grp) { - EC_GROUP_free(data->grp->group); - EC_POINT_clear_free(data->grp->pwe); - BN_clear_free(data->grp->order); - BN_clear_free(data->grp->prime); + crypto_ec_deinit(data->grp->group); + crypto_ec_point_deinit(data->grp->pwe, 1); os_free(data->grp); } wpabuf_free(data->inbuf); @@ -198,9 +185,9 @@ static void eap_pwd_build_id_req(struct eap_sm *sm, struct eap_pwd_data *data, static void eap_pwd_build_commit_req(struct eap_sm *sm, struct eap_pwd_data *data, u8 id) { - BIGNUM *mask = NULL, *x = NULL, *y = NULL; + struct crypto_bignum *mask = NULL; u8 *scalar = NULL, *element = NULL; - u16 offset; + size_t prime_len, order_len; wpa_printf(MSG_DEBUG, "EAP-pwd: Commit/Request"); /* @@ -210,93 +197,75 @@ static void eap_pwd_build_commit_req(struct eap_sm *sm, if (data->out_frag_pos) return; - if (((data->private_value = BN_new()) == NULL) || - ((data->my_element = EC_POINT_new(data->grp->group)) == NULL) || - ((data->my_scalar = BN_new()) == NULL) || - ((mask = BN_new()) == NULL)) { + prime_len = crypto_ec_prime_len(data->grp->group); + order_len = crypto_ec_order_len(data->grp->group); + + data->private_value = crypto_bignum_init(); + data->my_element = crypto_ec_point_init(data->grp->group); + data->my_scalar = crypto_bignum_init(); + mask = crypto_bignum_init(); + if (!data->private_value || !data->my_element || !data->my_scalar || + !mask) { wpa_printf(MSG_INFO, "EAP-PWD (server): scalar allocation " "fail"); goto fin; } - if (BN_rand_range(data->private_value, data->grp->order) != 1 || - BN_rand_range(mask, data->grp->order) != 1 || - BN_add(data->my_scalar, data->private_value, mask) != 1 || - BN_mod(data->my_scalar, data->my_scalar, data->grp->order, - data->bnctx) != 1) { + if (crypto_bignum_rand(data->private_value, + crypto_ec_get_order(data->grp->group)) < 0 || + crypto_bignum_rand(mask, + crypto_ec_get_order(data->grp->group)) < 0 || + crypto_bignum_add(data->private_value, mask, data->my_scalar) < 0 || + crypto_bignum_mod(data->my_scalar, + crypto_ec_get_order(data->grp->group), + data->my_scalar) < 0) { wpa_printf(MSG_INFO, "EAP-pwd (server): unable to get randomness"); goto fin; } - if (!EC_POINT_mul(data->grp->group, data->my_element, NULL, - data->grp->pwe, mask, data->bnctx)) { + if (crypto_ec_point_mul(data->grp->group, data->grp->pwe, mask, + data->my_element) < 0) { wpa_printf(MSG_INFO, "EAP-PWD (server): element allocation " "fail"); eap_pwd_state(data, FAILURE); goto fin; } - if (!EC_POINT_invert(data->grp->group, data->my_element, data->bnctx)) - { + if (crypto_ec_point_invert(data->grp->group, data->my_element) < 0) { wpa_printf(MSG_INFO, "EAP-PWD (server): element inversion " "fail"); goto fin; } - BN_clear_free(mask); - if (((x = BN_new()) == NULL) || - ((y = BN_new()) == NULL)) { - wpa_printf(MSG_INFO, "EAP-PWD (server): point allocation " - "fail"); + scalar = os_malloc(order_len); + element = os_malloc(prime_len * 2); + if (!scalar || !element) { + wpa_printf(MSG_INFO, "EAP-PWD (server): data allocation fail"); goto fin; } - if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group, - data->my_element, x, y, - data->bnctx)) { + + if (crypto_ec_point_to_bin(data->grp->group, data->my_element, element, + element + prime_len) < 0) { wpa_printf(MSG_INFO, "EAP-PWD (server): point assignment " "fail"); goto fin; } - if (((scalar = os_malloc(BN_num_bytes(data->grp->order))) == NULL) || - ((element = os_malloc(BN_num_bytes(data->grp->prime) * 2)) == - NULL)) { - wpa_printf(MSG_INFO, "EAP-PWD (server): data allocation fail"); - goto fin; - } + crypto_bignum_to_bin(data->my_scalar, scalar, order_len, order_len); - /* - * bignums occupy as little memory as possible so one that is - * sufficiently smaller than the prime or order might need pre-pending - * with zeros. - */ - os_memset(scalar, 0, BN_num_bytes(data->grp->order)); - os_memset(element, 0, BN_num_bytes(data->grp->prime) * 2); - offset = BN_num_bytes(data->grp->order) - - BN_num_bytes(data->my_scalar); - BN_bn2bin(data->my_scalar, scalar + offset); - - offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x); - BN_bn2bin(x, element + offset); - offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y); - BN_bn2bin(y, element + BN_num_bytes(data->grp->prime) + offset); - - data->outbuf = wpabuf_alloc(2 * BN_num_bytes(data->grp->prime) + - BN_num_bytes(data->grp->order)); + data->outbuf = wpabuf_alloc(2 * prime_len + order_len); if (data->outbuf == NULL) goto fin; /* We send the element as (x,y) followed by the scalar */ - wpabuf_put_data(data->outbuf, element, - 2 * BN_num_bytes(data->grp->prime)); - wpabuf_put_data(data->outbuf, scalar, BN_num_bytes(data->grp->order)); + wpabuf_put_data(data->outbuf, element, 2 * prime_len); + wpabuf_put_data(data->outbuf, scalar, order_len); fin: + crypto_bignum_deinit(mask, 1); os_free(scalar); os_free(element); - BN_clear_free(x); - BN_clear_free(y); if (data->outbuf == NULL) eap_pwd_state(data, FAILURE); } @@ -305,11 +274,10 @@ fin: static void eap_pwd_build_confirm_req(struct eap_sm *sm, struct eap_pwd_data *data, u8 id) { - BIGNUM *x = NULL, *y = NULL; struct crypto_hash *hash; u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr; u16 grp; - int offset; + size_t prime_len, order_len; wpa_printf(MSG_DEBUG, "EAP-pwd: Confirm/Request"); /* @@ -319,9 +287,12 @@ static void eap_pwd_build_confirm_req(struct eap_sm *sm, if (data->out_frag_pos) return; + prime_len = crypto_ec_prime_len(data->grp->group); + order_len = crypto_ec_order_len(data->grp->group); + /* Each component of the cruft will be at most as big as the prime */ - if (((cruft = os_malloc(BN_num_bytes(data->grp->prime))) == NULL) || - ((x = BN_new()) == NULL) || ((y = BN_new()) == NULL)) { + cruft = os_malloc(prime_len * 2); + if (!cruft) { wpa_printf(MSG_INFO, "EAP-PWD (server): debug allocation " "fail"); goto fin; @@ -341,64 +312,38 @@ static void eap_pwd_build_confirm_req(struct eap_sm *sm, * * First is k */ - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(data->k); - BN_bn2bin(data->k, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime)); + crypto_bignum_to_bin(data->k, cruft, prime_len, prime_len); + eap_pwd_h_update(hash, cruft, prime_len); /* server element: x, y */ - if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group, - data->my_element, x, y, - data->bnctx)) { + if (crypto_ec_point_to_bin(data->grp->group, data->my_element, cruft, + cruft + prime_len) < 0) { wpa_printf(MSG_INFO, "EAP-PWD (server): confirm point " "assignment fail"); goto fin; } - - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x); - BN_bn2bin(x, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime)); - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y); - BN_bn2bin(y, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime)); + eap_pwd_h_update(hash, cruft, prime_len * 2); /* server scalar */ - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->order) - - BN_num_bytes(data->my_scalar); - BN_bn2bin(data->my_scalar, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order)); + crypto_bignum_to_bin(data->my_scalar, cruft, order_len, order_len); + eap_pwd_h_update(hash, cruft, order_len); /* peer element: x, y */ - if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group, - data->peer_element, x, y, - data->bnctx)) { + if (crypto_ec_point_to_bin(data->grp->group, data->peer_element, cruft, + cruft + prime_len) < 0) { wpa_printf(MSG_INFO, "EAP-PWD (server): confirm point " "assignment fail"); goto fin; } - - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x); - BN_bn2bin(x, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime)); - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y); - BN_bn2bin(y, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime)); + eap_pwd_h_update(hash, cruft, prime_len * 2); /* peer scalar */ - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->order) - - BN_num_bytes(data->peer_scalar); - BN_bn2bin(data->peer_scalar, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order)); + crypto_bignum_to_bin(data->peer_scalar, cruft, order_len, order_len); + eap_pwd_h_update(hash, cruft, order_len); /* ciphersuite */ grp = htons(data->group_num); - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); + os_memset(cruft, 0, prime_len); ptr = cruft; os_memcpy(ptr, &grp, sizeof(u16)); ptr += sizeof(u16); @@ -419,9 +364,7 @@ static void eap_pwd_build_confirm_req(struct eap_sm *sm, wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN); fin: - bin_clear_free(cruft, BN_num_bytes(data->grp->prime)); - BN_clear_free(x); - BN_clear_free(y); + bin_clear_free(cruft, prime_len * 2); if (data->outbuf == NULL) eap_pwd_state(data, FAILURE); } @@ -649,7 +592,7 @@ static void eap_pwd_process_id_resp(struct eap_sm *sm, return; } wpa_printf(MSG_DEBUG, "EAP-PWD (server): computed %d bit PWE...", - BN_num_bits(data->grp->prime)); + (int) crypto_ec_prime_len_bits(data->grp->group)); eap_pwd_state(data, PWD_Commit_Req); } @@ -659,16 +602,16 @@ static void eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data, const u8 *payload, size_t payload_len) { - u8 *ptr; - BIGNUM *x = NULL, *y = NULL, *cofactor = NULL; - EC_POINT *K = NULL, *point = NULL; + const u8 *ptr; + struct crypto_bignum *cofactor = NULL; + struct crypto_ec_point *K = NULL, *point = NULL; int res = 0; size_t prime_len, order_len; wpa_printf(MSG_DEBUG, "EAP-pwd: Received commit response"); - prime_len = BN_num_bytes(data->grp->prime); - order_len = BN_num_bytes(data->grp->order); + prime_len = crypto_ec_prime_len(data->grp->group); + order_len = crypto_ec_order_len(data->grp->group); if (payload_len != 2 * prime_len + order_len) { wpa_printf(MSG_INFO, @@ -678,49 +621,47 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data, goto fin; } - if (((data->peer_scalar = BN_new()) == NULL) || - ((data->k = BN_new()) == NULL) || - ((cofactor = BN_new()) == NULL) || - ((x = BN_new()) == NULL) || - ((y = BN_new()) == NULL) || - ((point = EC_POINT_new(data->grp->group)) == NULL) || - ((K = EC_POINT_new(data->grp->group)) == NULL) || - ((data->peer_element = EC_POINT_new(data->grp->group)) == NULL)) { + data->k = crypto_bignum_init(); + cofactor = crypto_bignum_init(); + point = crypto_ec_point_init(data->grp->group); + K = crypto_ec_point_init(data->grp->group); + if (!data->k || !cofactor || !point || !K) { wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation " "fail"); goto fin; } - if (!EC_GROUP_get_cofactor(data->grp->group, cofactor, NULL)) { + if (crypto_ec_cofactor(data->grp->group, cofactor) < 0) { wpa_printf(MSG_INFO, "EAP-PWD (server): unable to get " "cofactor for curve"); goto fin; } /* element, x then y, followed by scalar */ - ptr = (u8 *) payload; - BN_bin2bn(ptr, BN_num_bytes(data->grp->prime), x); - ptr += BN_num_bytes(data->grp->prime); - BN_bin2bn(ptr, BN_num_bytes(data->grp->prime), y); - ptr += BN_num_bytes(data->grp->prime); - BN_bin2bn(ptr, BN_num_bytes(data->grp->order), data->peer_scalar); - if (!EC_POINT_set_affine_coordinates_GFp(data->grp->group, - data->peer_element, x, y, - data->bnctx)) { + ptr = payload; + data->peer_element = crypto_ec_point_from_bin(data->grp->group, ptr); + if (!data->peer_element) { wpa_printf(MSG_INFO, "EAP-PWD (server): setting peer element " "fail"); goto fin; } + ptr += prime_len * 2; + data->peer_scalar = crypto_bignum_init_set(ptr, order_len); + if (!data->peer_scalar) { + wpa_printf(MSG_INFO, "EAP-PWD (server): peer data allocation " + "fail"); + goto fin; + } /* check to ensure peer's element is not in a small sub-group */ - if (BN_cmp(cofactor, BN_value_one())) { - if (!EC_POINT_mul(data->grp->group, point, NULL, - data->peer_element, cofactor, NULL)) { + if (!crypto_bignum_is_one(cofactor)) { + if (crypto_ec_point_mul(data->grp->group, data->peer_element, + cofactor, point) != 0) { wpa_printf(MSG_INFO, "EAP-PWD (server): cannot " "multiply peer element by order"); goto fin; } - if (EC_POINT_is_at_infinity(data->grp->group, point)) { + if (crypto_ec_point_is_at_infinity(data->grp->group, point)) { wpa_printf(MSG_INFO, "EAP-PWD (server): peer element " "is at infinity!\n"); goto fin; @@ -728,21 +669,21 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data, } /* compute the shared key, k */ - if ((!EC_POINT_mul(data->grp->group, K, NULL, data->grp->pwe, - data->peer_scalar, data->bnctx)) || - (!EC_POINT_add(data->grp->group, K, K, data->peer_element, - data->bnctx)) || - (!EC_POINT_mul(data->grp->group, K, NULL, K, data->private_value, - data->bnctx))) { + if ((crypto_ec_point_mul(data->grp->group, data->grp->pwe, + data->peer_scalar, K) < 0) || + (crypto_ec_point_add(data->grp->group, K, data->peer_element, + K) < 0) || + (crypto_ec_point_mul(data->grp->group, K, data->private_value, + K) < 0)) { wpa_printf(MSG_INFO, "EAP-PWD (server): computing shared key " "fail"); goto fin; } /* ensure that the shared key isn't in a small sub-group */ - if (BN_cmp(cofactor, BN_value_one())) { - if (!EC_POINT_mul(data->grp->group, K, NULL, K, cofactor, - NULL)) { + if (!crypto_bignum_is_one(cofactor)) { + if (crypto_ec_point_mul(data->grp->group, K, cofactor, + K) != 0) { wpa_printf(MSG_INFO, "EAP-PWD (server): cannot " "multiply shared key point by order!\n"); goto fin; @@ -755,13 +696,12 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data, * never going to happen it is a simple and safe check "just to be * sure" so let's be safe. */ - if (EC_POINT_is_at_infinity(data->grp->group, K)) { + if (crypto_ec_point_is_at_infinity(data->grp->group, K)) { wpa_printf(MSG_INFO, "EAP-PWD (server): shared key point is " "at infinity"); goto fin; } - if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group, K, data->k, - NULL, data->bnctx)) { + if (crypto_ec_point_x(data->grp->group, K, data->k)) { wpa_printf(MSG_INFO, "EAP-PWD (server): unable to extract " "shared secret from secret point"); goto fin; @@ -769,11 +709,9 @@ eap_pwd_process_commit_resp(struct eap_sm *sm, struct eap_pwd_data *data, res = 1; fin: - EC_POINT_clear_free(K); - EC_POINT_clear_free(point); - BN_clear_free(cofactor); - BN_clear_free(x); - BN_clear_free(y); + crypto_ec_point_deinit(K, 1); + crypto_ec_point_deinit(point, 1); + crypto_bignum_deinit(cofactor, 1); if (res) eap_pwd_state(data, PWD_Confirm_Req); @@ -786,12 +724,14 @@ static void eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data, const u8 *payload, size_t payload_len) { - BIGNUM *x = NULL, *y = NULL; struct crypto_hash *hash; u32 cs; u16 grp; u8 conf[SHA256_MAC_LEN], *cruft = NULL, *ptr; - int offset; + size_t prime_len, order_len; + + prime_len = crypto_ec_prime_len(data->grp->group); + order_len = crypto_ec_order_len(data->grp->group); if (payload_len != SHA256_MAC_LEN) { wpa_printf(MSG_INFO, @@ -810,8 +750,8 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data, *ptr = EAP_PWD_DEFAULT_PRF; /* each component of the cruft will be at most as big as the prime */ - if (((cruft = os_malloc(BN_num_bytes(data->grp->prime))) == NULL) || - ((x = BN_new()) == NULL) || ((y = BN_new()) == NULL)) { + cruft = os_malloc(prime_len * 2); + if (!cruft) { wpa_printf(MSG_INFO, "EAP-PWD (peer): allocation fail"); goto fin; } @@ -825,62 +765,36 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data, goto fin; /* k */ - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(data->k); - BN_bn2bin(data->k, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime)); + crypto_bignum_to_bin(data->k, cruft, prime_len, prime_len); + eap_pwd_h_update(hash, cruft, prime_len); /* peer element: x, y */ - if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group, - data->peer_element, x, y, - data->bnctx)) { + if (crypto_ec_point_to_bin(data->grp->group, data->peer_element, cruft, + cruft + prime_len) < 0) { wpa_printf(MSG_INFO, "EAP-PWD (server): confirm point " "assignment fail"); goto fin; } - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x); - BN_bn2bin(x, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime)); - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y); - BN_bn2bin(y, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime)); + eap_pwd_h_update(hash, cruft, prime_len * 2); /* peer scalar */ - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->order) - - BN_num_bytes(data->peer_scalar); - BN_bn2bin(data->peer_scalar, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order)); + crypto_bignum_to_bin(data->peer_scalar, cruft, order_len, order_len); + eap_pwd_h_update(hash, cruft, order_len); /* server element: x, y */ - if (!EC_POINT_get_affine_coordinates_GFp(data->grp->group, - data->my_element, x, y, - data->bnctx)) { + if (crypto_ec_point_to_bin(data->grp->group, data->my_element, cruft, + cruft + prime_len) < 0) { wpa_printf(MSG_INFO, "EAP-PWD (server): confirm point " "assignment fail"); goto fin; } - - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(x); - BN_bn2bin(x, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime)); - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->prime) - BN_num_bytes(y); - BN_bn2bin(y, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->prime)); + eap_pwd_h_update(hash, cruft, prime_len * 2); /* server scalar */ - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); - offset = BN_num_bytes(data->grp->order) - - BN_num_bytes(data->my_scalar); - BN_bn2bin(data->my_scalar, cruft + offset); - eap_pwd_h_update(hash, cruft, BN_num_bytes(data->grp->order)); + crypto_bignum_to_bin(data->my_scalar, cruft, order_len, order_len); + eap_pwd_h_update(hash, cruft, order_len); /* ciphersuite */ - os_memset(cruft, 0, BN_num_bytes(data->grp->prime)); eap_pwd_h_update(hash, (u8 *) &cs, sizeof(u32)); /* all done */ @@ -894,7 +808,7 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data, } wpa_printf(MSG_DEBUG, "EAP-pwd (server): confirm verified"); - if (compute_keys(data->grp, data->bnctx, data->k, + if (compute_keys(data->grp, data->k, data->peer_scalar, data->my_scalar, conf, data->my_confirm, &cs, data->msk, data->emsk, data->session_id) < 0) @@ -903,9 +817,7 @@ eap_pwd_process_confirm_resp(struct eap_sm *sm, struct eap_pwd_data *data, eap_pwd_state(data, SUCCESS); fin: - bin_clear_free(cruft, BN_num_bytes(data->grp->prime)); - BN_clear_free(x); - BN_clear_free(y); + bin_clear_free(cruft, prime_len * 2); } diff --git a/wpa_supplicant/Android.mk b/wpa_supplicant/Android.mk index 1faff2ecd..12e0bb94c 100644 --- a/wpa_supplicant/Android.mk +++ b/wpa_supplicant/Android.mk @@ -684,6 +684,7 @@ L_CFLAGS += -DEAP_PWD OBJS += src/eap_peer/eap_pwd.c src/eap_common/eap_pwd_common.c CONFIG_IEEE8021X_EAPOL=y NEED_SHA256=y +NEED_ECC=y endif ifdef CONFIG_EAP_EKE diff --git a/wpa_supplicant/Makefile b/wpa_supplicant/Makefile index 65205d8eb..2ec011fc5 100644 --- a/wpa_supplicant/Makefile +++ b/wpa_supplicant/Makefile @@ -712,6 +712,7 @@ CFLAGS += -DEAP_PWD OBJS += ../src/eap_peer/eap_pwd.o ../src/eap_common/eap_pwd_common.o CONFIG_IEEE8021X_EAPOL=y NEED_SHA256=y +NEED_ECC=y endif ifdef CONFIG_EAP_EKE